Passtokens are an optional ESF feature for communicating a user's identity between security domains. Passtokens let one
Enterprise Server component (an
enterprise server region or MFDS) signon to another
Enterprise Server component on behalf of a user, without requiring that user's normal credentials, typically a password.
In effect, a passtoken is a one-time or limited-time substitute for a user's password. A passtoken is associated with a user
signon group) when it is created, and can only be used to sign on as that user.
If passtokens are enabled, they can be used for the following purposes:
- Administrator convenience. When an administrator is signed on to either the MFDS administrative user interface or ESMAC, and
switches to the other, the component that the administrator is coming from sends a passtoken to the component the administrator
is going to. If the destination accepts the passtoken and the administrator has authority there, no manual signon is necessary
and the administrator can switch seamlessly between the two interfaces.
- Inter-system communication. Some MTO facilities allow users with the appropriate rights to invoke functions or programs in
other regions. In some cases these facilities can use passtokens rather than actual passwords, to avoid insecure storage and
transmission of passwords.
- Passtokens may be used for TN3270 automated sign-on using ELF or DCAS.
ESM Modules support passtokens. If you are using a module that does not support passtokens to verify users, user identities are not
automatically transferred across security domains, and users have to explicitly signon with their normal credentials in each
Note: To use ESF passtokens between components with separate security configurations, such as the Enterprise Server Administration
user interface hosted by
Micro Focus Directory Server (MFDS) and the ES Monitor & Control interface hosted in the region, the security configurations for both
components must be identical. Passtokens between components with differing configurations might work but are not supported.